[syslog-ng] Converting multiline text input to concatenated single-line syslog format
Szalai, Attila
Attila.Szalai at morganstanley.com
Fri Sep 30 16:47:59 CEST 2016
Hi,
I'm not quite sure if it is still relevant, but the Administration guide of syslog-ng PE 6 shows the following for flags(no-multi-line):
"Note that this happens only if the underlying transport method actually supports multi-line messages. Currently the rltp, syslog(), network(), unix-dgram() drivers support multi-line messages"
https://www.balabit.com/documents/syslog-ng-pe-latest-guides/en/syslog-ng-pe-guide-admin/html/reference-source-syslog-chapter.html#idp5523888
I do not know whether it is meant to refer to the source or to the destination. But I think it should be ironed out on the BalaBit side, because if I remember correctly the file source does support multi-line messages. But if it talks about the destination drivers (in which case I think it should be articulated better), that can explain why it did not work for the file destination and why it works for udp.
From: syslog-ng-bounces at lists.balabit.hu [mailto:syslog-ng-bounces at lists.balabit.hu] On Behalf Of Newport, Brendan (Contractor - Security Operations - Development & Support)
Sent: Friday, September 30, 2016 4:35 PM
To: syslog-ng at lists.balabit.hu
Subject: [syslog-ng] Converting multiline text input to concatenated single-line syslog format
Classification: Public
Ha!
I think I might have been trying to achieve the impossible - getting syslog-ng to convert multiline log messages into concatenated syslog messages.
That doesn't appear to work. But I defined a syslogd instance to direct local5.info messages received from my syslog-ng client into a log file and all works fine!
more local5.log
Sep 30 14:45:35 <hostname> local5:info <hostname> Table: IMP-386: ORACLE error 386 encountered ORA-01017: invalid username/passwo
rd; logon deniedUsername: Connected to: Oracle Database 10g Enterprise Edition Release 10.2.0.3.0 - 64bit Production
Sep 30 14:45:35 <hostname> local5:info <hostname> Table: IMP-00034: Warning: FromUser "FALBOS" not found in export file With the P
artitioning, OLAP and Data Mining options Export file created by EXPORT:V10.02.01 via conventional path
Sep 30 14:45:35 <hostname> local5:info <hostname> Table: IMP-386: ORACLE error 386 encountered Warning: the objects were exported
by FALCON, not by you import done in WE8ISO8859P1 character set and AL16UTF16 NCHAR character set
Using this config in syslog-ng.conf:
source s_table {
    file("<path to input multi-line log file>"
         multi-line-prefix("IMP")
         flags(no-parse, no-multi-line)
         program-override("Table")
         default-facility(local5)
         default-priority(info));
};
filter f_local5_info { facility(local5) and level(info); };
and with the destination defined as a UDP IP address on port 514:
log { source(s_table); filter(f_local5_info); destination(d_syslog_udp); };
As the desire is to get multiline non-syslog logs off-host to QRadar as syslog messages, that's the POC passed fine!
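To make the behaviour of the file() source above concrete, here is an added model (not syslog-ng code, and not from either poster) of what multi-line-prefix("IMP") does to the input and how the result is framed as a BSD syslog message for local5.info with the program name overridden to "Table". The sample log lines, host name and timestamp are constructed; the multi_line switch mirrors the difference between grouping by prefix and flags(no-multi-line), where every physical line becomes its own message.

```python
"""Model of syslog-ng's multi-line-prefix grouping plus RFC 3164 framing.

Constructed example: a line starting with the prefix opens a new message and
the following lines are appended to it, then each message is emitted as
<PRI>TIMESTAMP HOST PROGRAM: MSG with PRI = facility * 8 + severity.
"""
import re
from datetime import datetime

LOCAL5 = 21   # facility number per the RFC 3164 table
INFO = 6      # severity "informational"

# Constructed sample of an Oracle-import-style log; "IMP" marks a new record.
SAMPLE_LOG = """\
IMP-00001: first record, line one
 continuation line of the first record
IMP-00002: second record, single line
IMP-00003: third record, line one
 continuation line a
 continuation line b
"""


def group_by_prefix(text, prefix, multi_line=True):
    """Split text into messages (lists of lines).

    With multi_line=True a line starting with `prefix` starts a new message and
    other lines continue the current one (multi-line-prefix behaviour). With
    multi_line=False every line is its own message (flags(no-multi-line)).
    """
    messages = []
    for line in text.splitlines():
        if not multi_line or line.startswith(prefix) or not messages:
            messages.append([line])
        else:
            messages[-1].append(line)
    return messages


def join_lines(lines, separator=" "):
    """Flatten one message to a single physical line.

    syslog-ng itself keeps the embedded newlines; a collector that wants one
    line per message has to pick a separator. Runs of whitespace are collapsed
    so indented continuation lines do not carry their leading spaces along.
    """
    return re.sub(r"\s+", " ", separator.join(lines)).strip()


def pri(facility, severity):
    """RFC 3164 priority value; local5.info is 21 * 8 + 6 = 174."""
    return facility * 8 + severity


def to_bsd_syslog(message, host, program, facility=LOCAL5, severity=INFO, when=None):
    """Frame one message as <PRI>Mmm dd hh:mm:ss HOST PROGRAM: MSG."""
    when = when or datetime(2016, 9, 30, 14, 45, 35)   # constructed timestamp
    # RFC 3164 timestamp: month abbreviation, space-padded day, time.
    ts = when.strftime("%b ") + f"{when.day:2d}" + when.strftime(" %H:%M:%S")
    return f"<{pri(facility, severity)}>{ts} {host} {program}: {message}"


def convert(text, prefix="IMP", host="dbhost", program="Table", multi_line=True):
    """Turn a multi-line text log into a list of single-line syslog messages."""
    return [to_bsd_syslog(join_lines(m), host, program)
            for m in group_by_prefix(text, prefix, multi_line)]


if __name__ == "__main__":
    print("grouped by prefix:")
    for line in convert(SAMPLE_LOG):
        print(line)
    print("no-multi-line:")
    for line in convert(SAMPLE_LOG, multi_line=False):
        print(line)
```

Running it shows three framed messages in prefix mode and six in no-multi-line mode, which is the difference the flag makes regardless of whether the destination is a file or UDP.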